Freeradius Proxy scenario help

Matthew Newton mcn4 at
Wed May 24 12:31:10 CEST 2017

On Wed, May 24, 2017 at 10:55:50AM +0100, David Brierley wrote:
> I would like to pass on the Auth part of this to the OTP server.
> E.g. if a request comes in to server 1 it will do radcheck against username
> only, it will then forward the request on to server two that will have the
> same username and then check its password and OTP, The OTP radius server
> will send an accept accept ONLY.

This isn't going to be straightforward as when a request is going
to be proxied it is passed through pre-proxy/post-proxy rather than
authenticate. So you'll never hit authenticate on your first
RADIUS server.

> The original server running MYSQL will then add the rad reply / radgroup
> reply items / AVP's to the reply.

You can do this in post-proxy in theory.

> Main reason is I can keep the OTP server as just doing OTP and have
> multiple instances of Freeradius setup to essentially point the requests to
> the OTP server if they need / Want to.
> The original server can then have control of the rad replies to send to the
> client (Mainly VPN clients).
> It is possible on the OTP server alone however its very messy and to
> implement with MYSQL isn't exactly straight forward.

Maybe you can make the OTP component web-based and use rlm_rest on
the RADIUS servers rather than proxying?


Matthew Newton, Ph.D. <mcn4 at>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>

More information about the Freeradius-Users mailing list